Fix GnuTLS validation of the CACert Chain. Closes #4458. If certificate validation fails partway through, check the last validated certificate and, if it's in the CA store, consider the chain validated. This allows GnuTLS to validate the CAcert Class 3 intermediate without requiring us to accept MD5 signatures anywhere.